Author: jgenender Date: Sun Apr 17 10:01:00 2005 New Revision: 161667 URL: http://svn.apache.org/viewcvs?view=rev&rev=161667 Log: Updated to use new security gbean and removed parameter in container to set the endorsed dir (it never worked)
Modified: geronimo/trunk/modules/tomcat/project.xml geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/TomcatContainer.java geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/TomcatGeronimoRealm.java geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/TomcatWebAppContext.java geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/deployment/TomcatModuleBuilder.java geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/valve/PolicyContextValve.java geronimo/trunk/modules/tomcat/src/plan/tomcat-plan.xml geronimo/trunk/modules/tomcat/src/test/org/apache/geronimo/tomcat/AbstractWebModuleTest.java geronimo/trunk/modules/tomcat/src/test/org/apache/geronimo/tomcat/JACCSecurityTest.java Modified: geronimo/trunk/modules/tomcat/project.xml URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/tomcat/project.xml?view=diff&r1=161666&r2=161667 ============================================================================== --- geronimo/trunk/modules/tomcat/project.xml (original) +++ geronimo/trunk/modules/tomcat/project.xml Sun Apr 17 10:01:00 2005 @@ -116,6 +116,11 @@ </dependency> <dependency> <groupId>geronimo</groupId> + <artifactId>geronimo-security-builder</artifactId> + <version>${pom.currentVersion}</version> + </dependency> + <dependency> + <groupId>geronimo</groupId> <artifactId>geronimo-system</artifactId> <version>${pom.currentVersion}</version> </dependency> Modified: geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/TomcatContainer.java URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/TomcatContainer.java?view=diff&r1=161666&r2=161667 ============================================================================== --- geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/TomcatContainer.java (original) +++ geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/TomcatContainer.java Sun Apr 17 10:01:00 2005 
@@ -74,12 +74,7 @@ private Context defaultContext; /** - * The java.endorsed.dirs directories - */ - private String endorsedDirs = System.getProperty("java.endorsed.dirs"); - - /** - * Used only to resolve the path to the endorsed standards dir + * Used only to resolve the paths */ private ServerInfo serverInfo; @@ -111,10 +106,8 @@ public void doStart() throws Exception { log.debug("doStart()"); - // set endorsed dirs (so it's not mandatory to set it up by a user - // anymore) - System.setProperty("java.endorsed.dirs", serverInfo.resolvePath(getEndorsedDirs())); - + log.info("Endorsed Dirs set to:" + System.getProperty("java.endorsed.dirs")); + // The comments are from the javadoc of the Embedded class // 1. Instantiate a new instance of this class. @@ -218,14 +211,6 @@ System.setProperty("catalina.home", catalinaHome); } - public String getEndorsedDirs() { - return endorsedDirs; - } - - public void setEndorsedDirs(String endorsedDirs) { - this.endorsedDirs = endorsedDirs; - } - public void addConnector(Connector connector) { embedded.addConnector(connector); } @@ -242,7 +227,6 @@ infoFactory.setConstructor(new String[] { "catalinaHome", "ServerInfo" }); infoFactory.addAttribute("catalinaHome", String.class, true); - infoFactory.addAttribute("endorsedDirs", String.class, true); infoFactory.addReference("ServerInfo", ServerInfo.class, "GBean"); Modified: geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/TomcatGeronimoRealm.java URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/TomcatGeronimoRealm.java?view=diff&r1=161666&r2=161667 ============================================================================== --- geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/TomcatGeronimoRealm.java (original) +++ geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/TomcatGeronimoRealm.java Sun Apr 17 10:01:00 2005 
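Review bot: The new `log.info` line in the doStart hunk prints whatever `java.endorsed.dirs` happens to be, including the literal "null" when the property is unset, and the message has no space after the colon; consider `log.info("java.endorsed.dirs=" + System.getProperty("java.endorsed.dirs"));` or skip the line when the property is absent. With the resolvePath call gone, nothing in these hunks uses `serverInfo` any more, yet the first hunk rewrites its Javadoc to "Used only to resolve the paths" — if the field is unused elsewhere in the file, drop it and the `ServerInfo` reference instead of keeping a vague comment; otherwise name the paths it resolves. doStart's body continues outside the hunk.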
@@ -76,13 +76,13 @@ private static final Log log = LogFactory.getLog(TomcatGeronimoRealm.class); - private String policyContextID = null; - private PolicyConfigurationFactory factory = null; - private PolicyConfiguration policyConfiguration = null; - private Subject defaultSubject = null; - private PermissionCollection checked = new Permissions(); - private Map roleDesignates = new HashMap(); - private String loginDomainName = null; + private final String policyContextID; + private final Subject defaultSubject; + private final DefaultPrincipal defaultPrincipal; + private final PermissionCollection checked; + private final PermissionCollection excluded; + private final Map roleDesignates; + private final String loginDomainName; private Context context = null; private static ThreadLocal currentRequest = new ThreadLocal(); @@ -98,15 +98,23 @@ protected static final String name = "TomcatGeronimoRealm"; public TomcatGeronimoRealm(String policyContextID, - Security securityConfig, + DefaultPrincipal defaultPrincipal, String loginDomainName, - Set securityRoles, - PermissionCollection uncheckedPermissions, + PermissionCollection checkedPermissions, PermissionCollection excludedPermissions, - Map rolePermissions) throws PolicyContextException, ClassNotFoundException { + Map roleDesignates) + throws PolicyContextException, ClassNotFoundException { + assert policyContextID != null; + assert defaultPrincipal != null; + this.policyContextID = policyContextID; - this.defaultSubject = ConfigurationUtil.generateDefaultSubject(securityConfig.getDefaultPrincipal()); + this.defaultPrincipal = defaultPrincipal; + this.loginDomainName = loginDomainName; + this.defaultSubject = ConfigurationUtil.generateDefaultSubject(defaultPrincipal); + this.checked = checkedPermissions; + this.excluded = excludedPermissions; + this.roleDesignates = roleDesignates; /** * Register our default subject with the ContextManager 
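Review bot: The two `assert` statements at the top of the new constructor are not null checks at runtime: assertions are off unless the JVM is started with -ea, so a null policyContextID or defaultPrincipal reaches `ConfigurationUtil.generateDefaultSubject` and the field assignments unchecked. Replace them with explicit argument checks, e.g. `if (policyContextID == null) throw new IllegalArgumentException("policyContextID is required");` and the same for defaultPrincipal. The realm also keeps the caller's `checkedPermissions`, `excludedPermissions` and `roleDesignates` objects by reference, so any later mutation by the caller changes what the realm enforces; either document that they must not be modified after construction or copy them. The constructor body continues in the next hunk.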
@@ -115,26 +123,7 @@ SubjectId id = ContextManager.getSubjectId(defaultSubject); defaultSubject.getPrincipals().add(new IdentificationPrincipal(id)); - factory = PolicyConfigurationFactory.getPolicyConfigurationFactory(); - policyConfiguration = factory.getPolicyConfiguration(policyContextID, true); - - configure(uncheckedPermissions, excludedPermissions, rolePermissions); - RoleMappingConfiguration roleMapper = RoleMappingConfigurationFactory.getRoleMappingFactory().getRoleMappingConfiguration(policyContextID, false); - addRoleMappings(securityRoles, securityConfig, roleMapper); - policyConfiguration.commit(); - this.loginDomainName = loginDomainName; - - Set allRolePermissions = new HashSet(); - for (Iterator iterator = rolePermissions.entrySet().iterator(); iterator.hasNext();) { - Map.Entry entry = (Map.Entry) iterator.next(); - Set permissionsForRole = (Set) entry.getValue(); - allRolePermissions.addAll(permissionsForRole); - } - for (Iterator iterator = allRolePermissions.iterator(); iterator.hasNext();) { - Permission permission = (Permission) iterator.next(); - checked.add(permission); - } - } + } /** * Enforce any user data constraint required by the security constraint @@ -178,6 +167,7 @@ /** * JACC v1.0 secion 4.1.1 */ + WebUserDataPermission wudp = new WebUserDataPermission(request); acc.checkPermission(new WebUserDataPermission(request)); } catch (AccessControlException ace) { 
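Review bot: In the @@ -178 hunk the new local `wudp` is never used: the following line still constructs a second `WebUserDataPermission(request)` for the `acc.checkPermission` call. Either pass it, `acc.checkPermission(wudp);`, or drop the assignment; as written it only doubles the permission construction per request. The enclosing method starts and ends outside the hunk.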
@@ -468,93 +458,6 @@ } - public void addRoleMappings(Set securityRoles, Security security, RoleMappingConfiguration roleMapper) throws PolicyContextException, GeronimoSecurityException { - - for (Iterator roleMappings = security.getRoleMappings().values().iterator(); roleMappings.hasNext();) { - Role role = (Role) roleMappings.next(); - String roleName = role.getRoleName(); - Set principalSet = new HashSet(); - - if (!securityRoles.contains(roleName)) { - throw new GeronimoSecurityException("Role does not exist in this configuration"); - } - - Subject roleDesignate = new Subject(); - - for (Iterator realms = role.getRealms().values().iterator(); realms.hasNext();) { - Realm realm = (Realm) realms.next(); - - for (Iterator principals = realm.getPrincipals().iterator(); principals.hasNext();) { - org.apache.geronimo.security.deploy.Principal principal = (org.apache.geronimo.security.deploy.Principal) principals.next(); - - RealmPrincipal realmPrincipal = ConfigurationUtil.generateRealmPrincipal(principal, realm.getRealmName()); - if (realmPrincipal == null) { - throw new GeronimoSecurityException("Unable to create realm principal"); - } - - principalSet.add(realmPrincipal); - if (principal.isDesignatedRunAs()) { - roleDesignate.getPrincipals().add(realmPrincipal); - } - } - } - - for (Iterator names = role.getDNames().iterator(); names.hasNext();) { - DistinguishedName dn = (DistinguishedName) names.next(); - - X500Principal x500Principal = ConfigurationUtil.generateX500Principal(dn.getName()); - - principalSet.add(x500Principal); - if (dn.isDesignatedRunAs()) { - roleDesignate.getPrincipals().add(x500Principal); - } - } - - roleMapper.addRoleMapping(roleName, principalSet); - - if (roleDesignate.getPrincipals().size() > 0) { - setRoleDesignate(roleName, roleDesignate); - } - } - - /** - * Register the role designates with the context manager. 
- */ - for (Iterator iter = roleDesignates.keySet().iterator(); iter.hasNext();) { - String roleName = (String) iter.next(); - Subject roleDesignate = (Subject) roleDesignates.get(roleName); - - ContextManager.registerSubject(roleDesignate); - SubjectId id = ContextManager.getSubjectId(roleDesignate); - roleDesignate.getPrincipals().add(new IdentificationPrincipal(id)); - } - - } - - private void setRoleDesignate(String roleName, Subject subject) { - roleDesignates.put(roleName, subject); - } - - private void configure(PermissionCollection uncheckedPermissions, - PermissionCollection excludedPermissions, - Map rolePermissions) throws GeronimoSecurityException { - try { - policyConfiguration.addToExcludedPolicy(excludedPermissions); - policyConfiguration.addToUncheckedPolicy(uncheckedPermissions); - for (Iterator iterator = rolePermissions.entrySet().iterator(); iterator.hasNext();) { - Map.Entry entry = (Map.Entry) iterator.next(); - String roleName = (String) entry.getKey(); - Set permissions = (Set) entry.getValue(); - for (Iterator iterator1 = permissions.iterator(); iterator1.hasNext();) { - Permission permission = (Permission) iterator1.next(); - policyConfiguration.addToRole(roleName, permission); - } - } - } catch (PolicyContextException e) { - throw new GeronimoSecurityException(e); - } - } - /** * Prepare for active use of the public methods of this <code>Component</code>. * 
@@ -581,23 +484,8 @@ // Perform normal superclass finalization super.stop(); - for (Iterator iter = roleDesignates.keySet().iterator(); iter.hasNext();) { - String roleName = (String) iter.next(); - Subject roleDesignate = (Subject) roleDesignates.get(roleName); - - ContextManager.unregisterSubject(roleDesignate); - } + // Remove the defaultSubject ContextManager.unregisterSubject(defaultSubject); - - try { - - if (policyConfiguration != null) - policyConfiguration.delete(); - - } catch (PolicyContextException pce) { - //Oh well, we tried - } - } public void setContext(Context context) { Modified: geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/TomcatWebAppContext.java URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/TomcatWebAppContext.java?view=diff&r1=161666&r2=161667 ============================================================================== --- geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/TomcatWebAppContext.java (original) +++ geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/TomcatWebAppContext.java Sun Apr 17 10:01:00 2005 @@ -20,6 +20,7 @@ import java.net.URI; import java.net.URL; import java.security.PermissionCollection; +import java.util.Hashtable; import java.util.Iterator; import java.util.Map; import java.util.Set; 
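Review bot: stop() now unregisters only `defaultSubject`, although the constructor (earlier hunk) still stores `roleDesignates`, whose subjects the removed loop used to unregister; this reads as if the RoleDesignateSource gbean now owns their registration and the PolicyConfiguration deletion, but nothing in this file says so. Add a comment above the remaining call, e.g. `// Role designates and the JACC PolicyConfiguration are owned by the RoleDesignateSource gbean; this realm only owns defaultSubject.` If the realm still registers anything from `roleDesignates` elsewhere, the unregister loop needs to come back. stop() begins outside the hunk.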
@@ -36,10 +37,12 @@ import org.apache.geronimo.gbean.GBeanInfoBuilder; import org.apache.geronimo.gbean.GBeanLifecycle; import org.apache.geronimo.security.deploy.Security; +import org.apache.geronimo.security.jacc.RoleDesignateSource; import org.apache.geronimo.naming.reference.KernelAwareReference; import org.apache.geronimo.naming.reference.ClassLoaderAwareReference; import org.apache.geronimo.naming.java.SimpleReadOnlyContext; import org.apache.geronimo.kernel.Kernel; +import org.apache.geronimo.kernel.jmx.JMXUtil; import org.apache.geronimo.tomcat.valve.ComponentContextValve; import org.apache.geronimo.tomcat.valve.TransactionContextValve; import org.apache.geronimo.tomcat.valve.PolicyContextValve; @@ -47,13 +50,16 @@ import org.apache.geronimo.transaction.context.OnlineUserTransaction; import org.apache.geronimo.transaction.context.TransactionContextManager; import org.apache.geronimo.j2ee.j2eeobjectnames.NameFactory; +import org.apache.geronimo.j2ee.management.J2EEApplication; +import org.apache.geronimo.j2ee.management.J2EEServer; +import org.apache.geronimo.j2ee.management.impl.InvalidObjectNameException; +import javax.management.ObjectName; import javax.naming.NamingException; - /** * Wrapper for a WebApplicationContext that sets up its J2EE environment. - * + * * @version $Rev: 56022 $ $Date: 2004-10-30 07:16:18 +0200 (Sat, 30 Oct 2004) $ */ public class TomcatWebAppContext implements GBeanLifecycle, TomcatContext { 
@@ -63,39 +69,58 @@ protected final TomcatContainer container; protected Context context = null; + private final URI webAppRoot; + private String path = null; + private String docBase = null; private final LoginConfig loginConfig; + private final Realm tomcatRealm; + private final Set securityConstraints; + private final Set securityRoles; + private final Map componentContext; + private final Kernel kernel; + private final TransactionContextManager transactionContextManager; + private final String policyContextID; - public TomcatWebAppContext(URI webAppRoot, - URI[] webClassPath, - URL configurationBaseUrl, - LoginConfig loginConfig, - Realm tomcatRealm, - Set securityConstraints, - - String policyContextID, - String loginDomainName, - Security securityConfig, - Set securityRoles, - PermissionCollection uncheckedPermissions, - PermissionCollection excludedPermissions, - Map rolePermissions, - Map componentContext, - OnlineUserTransaction userTransaction, - TransactionContextManager transactionContextManager, - TrackedConnectionAssociator trackedConnectionAssociator, - TomcatContainer container, - Kernel kernel) throws NamingException { + private final RoleDesignateSource roleDesignateSource; + + private final J2EEServer server; + + private final J2EEApplication application; + + public TomcatWebAppContext( + String objectName, + String originalSpecDD, + URI webAppRoot, + URI[] webClassPath, + URL configurationBaseUrl, + LoginConfig loginConfig, + Realm tomcatRealm, + Set securityConstraints, + String policyContextID, + String loginDomainName, + Security securityConfig, + Set securityRoles, + Map componentContext, + OnlineUserTransaction userTransaction, + TransactionContextManager transactionContextManager, + TrackedConnectionAssociator trackedConnectionAssociator, + TomcatContainer container, + RoleDesignateSource roleDesignateSource, + J2EEServer server, + J2EEApplication application, + Kernel kernel) + throws NamingException { assert webAppRoot != null; assert 
webClassPath != null; @@ -117,10 +142,27 @@ this.componentContext = componentContext; this.transactionContextManager = transactionContextManager; + + this.roleDesignateSource = roleDesignateSource; + this.server = server; + this.application = application; + this.kernel = kernel; + ObjectName myObjectName = JMXUtil.getObjectName(objectName); + verifyObjectName(myObjectName); + + if (tomcatRealm != null){ + if (roleDesignateSource == null) { + throw new IllegalArgumentException("RoleDesignateSource must be supplied for a secure web app"); + } + } + userTransaction.setUp(transactionContextManager, + trackedConnectionAssociator); - userTransaction.setUp(transactionContextManager, trackedConnectionAssociator); + } + public String getServer() { + return server.getObjectName(); } public String getDocBase() { @@ -135,7 +177,7 @@ context.setDocBase(webAppRoot.getPath()); context.setPath(path); - //Security + // Security if (tomcatRealm != null) { if (tomcatRealm instanceof TomcatGeronimoRealm) { ((TomcatGeronimoRealm) tomcatRealm).setContext(context); @@ -167,13 +209,16 @@ javax.naming.Context enc = null; try { if (componentContext != null) { - for (Iterator iterator = componentContext.values().iterator(); iterator.hasNext();) { + for (Iterator iterator = componentContext.values().iterator(); iterator + .hasNext();) { Object value = iterator.next(); if (value instanceof KernelAwareReference) { ((KernelAwareReference) value).setKernel(kernel); } if (value instanceof ClassLoaderAwareReference) { - ((ClassLoaderAwareReference) value).setClassLoader(context.getLoader().getClassLoader()); + ((ClassLoaderAwareReference) value) + .setClassLoader(context.getLoader() + .getClassLoader()); } } enc = new SimpleReadOnlyContext(componentContext); 
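Review bot: In the @@ -117 hunk the roleDesignateSource guard is two nested ifs that can be a single condition, and it runs only after the fields have already been assigned and `verifyObjectName` has been called; move it ahead of the assignments and write `if (tomcatRealm != null && roleDesignateSource == null) { throw new IllegalArgumentException("RoleDesignateSource must be supplied for a secure web app"); }`. The new `getServer()` dereferences `server` unconditionally; J2EEServer is presumably always wired, but the companion `J2EEApplication` reference is only set by TomcatModuleBuilder when the application name is not "null", so any accessor added for `application` needs a null guard. The constructor starts on the previous physical line and its body continues outside the hunk.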
@@ -182,19 +227,21 @@ log.error(ne); } - //Set the valves for the context - if (enc != null){ + // Set the valves for the context + if (enc != null) { ComponentContextValve contextValve = new ComponentContextValve(enc); ((StandardContext) context).addValve(contextValve); } - if (transactionContextManager != null){ - TransactionContextValve transactionValve = new TransactionContextValve(transactionContextManager); + if (transactionContextManager != null) { + TransactionContextValve transactionValve = new TransactionContextValve( + transactionContextManager); ((StandardContext) context).addValve(transactionValve); } - if (policyContextID != null){ - PolicyContextValve policyValve = new PolicyContextValve(policyContextID); + if (policyContextID != null) { + PolicyContextValve policyValve = new PolicyContextValve( + policyContextID); ((StandardContext) context).addValve(policyValve); } } 
@@ -215,6 +262,42 @@ this.path = path; } + /** + * ObjectName must match this pattern: <p/> + * domain:j2eeType=WebModule,name=MyName,J2EEServer=MyServer,J2EEApplication=MyApplication + */ + private void verifyObjectName(ObjectName objectName) { + if (objectName.isPattern()) { + throw new InvalidObjectNameException( + "ObjectName can not be a pattern", objectName); + } + Hashtable keyPropertyList = objectName.getKeyPropertyList(); + if (!NameFactory.WEB_MODULE.equals(keyPropertyList.get("j2eeType"))) { + throw new InvalidObjectNameException( + "WebModule object name j2eeType property must be 'WebModule'", + objectName); + } + if (!keyPropertyList.containsKey(NameFactory.J2EE_NAME)) { + throw new InvalidObjectNameException( + "WebModule object must contain a name property", objectName); + } + if (!keyPropertyList.containsKey(NameFactory.J2EE_SERVER)) { + throw new InvalidObjectNameException( + "WebModule object name must contain a J2EEServer property", + objectName); + } + if (!keyPropertyList.containsKey(NameFactory.J2EE_APPLICATION)) { + throw new InvalidObjectNameException( + "WebModule object name must contain a J2EEApplication property", + objectName); + } + if (keyPropertyList.size() != 4) { + throw new InvalidObjectNameException( + "WebModule object name can only have j2eeType, name, J2EEApplication, and J2EEServer properties", + objectName); + } + } + public void doStart() throws Exception { // See the note of TomcatContainer::addContext 
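Review bot: In `verifyObjectName` the j2eeType branch compares against `NameFactory.WEB_MODULE` but its message hard-codes 'WebModule', so the two can drift if the constant changes; build the message from the constant, `"WebModule object name j2eeType property must be '" + NameFactory.WEB_MODULE + "'"`. The final `size() != 4` check is what actually rejects extra key properties (the containsKey checks alone would accept them) and deserves a one-line comment, `// exactly j2eeType, name, J2EEServer and J2EEApplication; any extra key is rejected`. The local can be declared as `Map keyPropertyList` since only `get`/`containsKey`/`size` are used, which also makes the new `java.util.Hashtable` import unnecessary.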
@@ -240,58 +323,69 @@ public static final GBeanInfo GBEAN_INFO; static { - GBeanInfoBuilder infoFactory = new GBeanInfoBuilder("Tomcat WebApplication Context", TomcatWebAppContext.class, NameFactory.WEB_MODULE); - - infoFactory.addAttribute("webAppRoot", URI.class, true); - infoFactory.addAttribute("webClassPath", URI[].class, true); - infoFactory.addAttribute("configurationBaseUrl", URL.class, true); - - infoFactory.addAttribute("path", String.class, true); - - infoFactory.addAttribute("loginConfig", LoginConfig.class, true); - - infoFactory.addAttribute("tomcatRealm", Realm.class, true); - infoFactory.addAttribute("securityConstraints", Set.class, true); - - infoFactory.addAttribute("policyContextID", String.class, true); - infoFactory.addAttribute("loginDomainName", String.class, true); - infoFactory.addAttribute("securityConfig", Security.class, true); - infoFactory.addAttribute("securityRoles", Set.class, true); - infoFactory.addAttribute("uncheckedPermissions", PermissionCollection.class, true); - infoFactory.addAttribute("excludedPermissions", PermissionCollection.class, true); - infoFactory.addAttribute("rolePermissions", Map.class, true); - - infoFactory.addAttribute("componentContext", Map.class, true); - infoFactory.addAttribute("userTransaction", OnlineUserTransaction.class, true); - infoFactory.addReference("TransactionContextManager", TransactionContextManager.class, NameFactory.JTA_RESOURCE); - infoFactory.addReference("TrackedConnectionAssociator", TrackedConnectionAssociator.class, NameFactory.JCA_RESOURCE); - - infoFactory.addReference("Container", TomcatContainer.class, NameFactory.GERONIMO_SERVICE); - infoFactory.addAttribute("kernel", Kernel.class, false); - - infoFactory.setConstructor(new String[]{ - "webAppRoot", - "webClassPath", - "configurationBaseUrl", - "loginConfig", - "tomcatRealm", - "securityConstraints", - "policyContextID", - "loginDomainName", - "securityConfig", - "securityRoles", - "uncheckedPermissions", - 
"excludedPermissions", - "rolePermissions", - "componentContext", - "userTransaction", - "TransactionContextManager", - "TrackedConnectionAssociator", - "Container", - "kernel" - }); + GBeanInfoBuilder infoBuilder = new GBeanInfoBuilder( + "Tomcat WebApplication Context", TomcatWebAppContext.class, + NameFactory.WEB_MODULE); + + infoBuilder.addAttribute("objectName", String.class, false); + infoBuilder.addAttribute("deploymentDescriptor", String.class, true); + infoBuilder.addAttribute("webAppRoot", URI.class, true); + infoBuilder.addAttribute("webClassPath", URI[].class, true); + infoBuilder.addAttribute("configurationBaseUrl", URL.class, true); + + infoBuilder.addAttribute("path", String.class, true); + + infoBuilder.addAttribute("loginConfig", LoginConfig.class, true); + + infoBuilder.addAttribute("tomcatRealm", Realm.class, true); + infoBuilder.addAttribute("securityConstraints", Set.class, true); + + infoBuilder.addAttribute("policyContextID", String.class, true); + infoBuilder.addAttribute("loginDomainName", String.class, true); + infoBuilder.addAttribute("securityConfig", Security.class, true); + infoBuilder.addAttribute("securityRoles", Set.class, true); + infoBuilder.addAttribute("componentContext", Map.class, true); + infoBuilder.addAttribute("userTransaction", + OnlineUserTransaction.class, true); + infoBuilder.addReference("TransactionContextManager", + TransactionContextManager.class, NameFactory.JTA_RESOURCE); + infoBuilder.addReference("TrackedConnectionAssociator", + TrackedConnectionAssociator.class, NameFactory.JCA_RESOURCE); + + infoBuilder.addReference("Container", TomcatContainer.class, + NameFactory.GERONIMO_SERVICE); + infoBuilder.addReference("RoleDesignateSource", + RoleDesignateSource.class, NameFactory.JACC_MANAGER); + infoBuilder.addReference("J2EEServer", J2EEServer.class); + infoBuilder.addReference("J2EEApplication", J2EEApplication.class); + infoBuilder.addAttribute("kernel", Kernel.class, false); + + infoBuilder.setConstructor(new 
String[] { + "objectName", + "deploymentDescriptor", + "webAppRoot", + "webClassPath", + "configurationBaseUrl", + "loginConfig", + "tomcatRealm", + "securityConstraints", + "policyContextID", + "loginDomainName", + "securityConfig", + "securityRoles", + "componentContext", + "userTransaction", + "TransactionContextManager", + "TrackedConnectionAssociator", + "Container", + "RoleDesignateSource", + "J2EEServer", + "J2EEApplication", + "kernel" + } + ); - GBEAN_INFO = infoFactory.getBeanInfo(); + GBEAN_INFO = infoBuilder.getBeanInfo(); } public static GBeanInfo getGBeanInfo() { Modified: geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/deployment/TomcatModuleBuilder.java URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/deployment/TomcatModuleBuilder.java?view=diff&r1=161666&r2=161667 ============================================================================== --- geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/deployment/TomcatModuleBuilder.java (original) +++ geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/deployment/TomcatModuleBuilder.java Sun Apr 17 10:01:00 2005 @@ -52,6 +52,9 @@ import org.apache.geronimo.j2ee.j2eeobjectnames.J2eeContextImpl; import org.apache.geronimo.j2ee.j2eeobjectnames.NameFactory; import org.apache.geronimo.schema.SchemaConversionUtils; +import org.apache.geronimo.security.deploy.DefaultPrincipal; +import org.apache.geronimo.security.deployment.SecurityBuilder; +import org.apache.geronimo.security.deployment.SecurityConfiguration; import org.apache.geronimo.tomcat.TomcatWebAppContext; import org.apache.geronimo.xbeans.geronimo.jetty.JettyWebAppDocument; import org.apache.geronimo.xbeans.geronimo.jetty.JettyWebAppType; 
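Review bot: The GBean attribute is registered as "deploymentDescriptor" while the constructor parameter it is bound to (constructor hunk) is named `originalSpecDD`; GBeanInfoBuilder binds by position so this works, but the names should match so a reader can connect the two. Nothing in the visible hunks assigns that parameter to a field either, so unless it is stored outside the shown lines the attribute is accepted and discarded — worth confirming. The `J2EEApplication` reference is unconditional here and in the constructor, but TomcatModuleBuilder only sets it for modules inside an application, so the field may be null for standalone web modules; a comment on the `addReference("J2EEApplication", ...)` line stating that the reference is optional would document that contract.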
@@ -113,6 +116,13 @@ try { gbean = new GBeanData(TomcatWebAppContext.GBEAN_INFO); + gbean.setReferencePattern("J2EEServer", earContext.getServerObjectName()); + if (!earContext.getJ2EEApplicationName().equals("null")) { + gbean.setReferencePattern("J2EEApplication", earContext.getApplicationObjectName()); + } + + gbean.setAttribute("deploymentDescriptor", module.getOriginalSpecDD()); + gbean.setName(webModuleName); gbean.setAttribute("webAppRoot", baseUri); gbean.setAttribute("webClassPath", webClassPath); @@ -125,6 +135,7 @@ gbean.setAttribute("path", webModule.getContextRoot()); gbean.setReferencePattern("Container", tomcatContainerObjectName); + } catch (Exception e) { throw new DeploymentException("Unable to initialize webapp GBean", e); } Modified: geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/valve/PolicyContextValve.java URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/valve/PolicyContextValve.java?view=diff&r1=161666&r2=161667 ============================================================================== --- geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/valve/PolicyContextValve.java (original) +++ geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/valve/PolicyContextValve.java Sun Apr 17 10:01:00 2005 @@ -41,6 +41,7 @@ String oldId = PolicyContext.getContextID(); PolicyContext.setContextID(policyContextID); + PolicyContext.setHandlerData(request); // Pass this request on to the next valve in our pipeline getNext().invoke(request, response); Modified: geronimo/trunk/modules/tomcat/src/plan/tomcat-plan.xml URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/tomcat/src/plan/tomcat-plan.xml?view=diff&r1=161666&r2=161667 ============================================================================== --- geronimo/trunk/modules/tomcat/src/plan/tomcat-plan.xml (original) +++ geronimo/trunk/modules/tomcat/src/plan/tomcat-plan.xml Sun Apr 17 10:01:00 2005 
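Review bot: `earContext.getJ2EEApplicationName().equals("null")` tests a string sentinel to decide whether a J2EEApplication reference exists; if the method can ever return an actual null this throws, and the literal "null" is an easy convention to miss. If EARContext offers an explicit predicate prefer it; otherwise guard the call and add a comment: `// standalone web modules have no enclosing J2EEApplication; the name is the literal "null" in that case`. The second hunk (@@ -135) only adds a blank line.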
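Review bot: `PolicyContext.setHandlerData(request)` attaches the current request to the thread's JACC policy context, but the hunk never clears it; the surrounding code restores `oldId` after `getNext().invoke(...)` (presumably in a finally block outside the hunk), and the handler data needs the same treatment, otherwise a pooled thread keeps a reference to a finished request that any later policy-context handler on that thread would read. Where the context id is restored, add `PolicyContext.setHandlerData(null);`. Setting the data before invoke is correct, since the permission checks happen downstream. invoke() starts and ends outside the hunk.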
@@ -88,7 +88,6 @@ <gbean gbeanName="geronimo.server:type=WebContainer,container=Tomcat" class="org.apache.geronimo.tomcat.TomcatContainer"> <attribute name="catalinaHome">var/catalina</attribute> <attribute name="port">8090</attribute> - <attribute name="endorsedDirs">lib</attribute> <reference name="ServerInfo"><gbean-name>geronimo.system:role=ServerInfo</gbean-name></reference> </gbean> <gbean gbeanName="geronimo.server:type=WebConnector,container=Tomcat,port=8090" class="org.apache.geronimo.tomcat.connector.HTTPConnector"> Modified: geronimo/trunk/modules/tomcat/src/test/org/apache/geronimo/tomcat/AbstractWebModuleTest.java URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/tomcat/src/test/org/apache/geronimo/tomcat/AbstractWebModuleTest.java?view=diff&r1=161666&r2=161667 ============================================================================== --- geronimo/trunk/modules/tomcat/src/test/org/apache/geronimo/tomcat/AbstractWebModuleTest.java (original) +++ geronimo/trunk/modules/tomcat/src/test/org/apache/geronimo/tomcat/AbstractWebModuleTest.java Sun Apr 17 10:01:00 2005 @@ -19,7 +19,9 @@ import java.io.File; import java.net.URI; import java.security.PermissionCollection; +import java.security.Permissions; import java.util.*; + import javax.management.ObjectName; import junit.framework.TestCase; 
@@ -34,11 +36,13 @@ import org.apache.geronimo.kernel.Kernel; import org.apache.geronimo.kernel.management.State; import org.apache.geronimo.security.SecurityServiceImpl; +import org.apache.geronimo.security.deploy.DefaultPrincipal; import org.apache.geronimo.security.deploy.Principal; -import org.apache.geronimo.security.deploy.Security; import org.apache.geronimo.security.jaas.GeronimoLoginConfiguration; import org.apache.geronimo.security.jaas.JaasLoginService; import org.apache.geronimo.security.jaas.LoginModuleGBean; +import org.apache.geronimo.security.jacc.ApplicationPolicyConfigurationManager; +import org.apache.geronimo.security.jacc.ComponentPermissions; import org.apache.geronimo.security.realm.GenericSecurityRealm; import org.apache.geronimo.system.serverinfo.ServerInfo; import org.apache.geronimo.tomcat.connector.HTTPConnector; 
@@ -104,13 +108,26 @@ } protected ObjectName setUpJAASSecureAppContext(Set securityConstraints, Set securityRoles) throws Exception { + ObjectName jaccBeanName = NameFactory.getComponentName(null, null, null, null, "foo", NameFactory.JACC_MANAGER, moduleContext); + GBeanData jaccBeanData = new GBeanData(jaccBeanName, ApplicationPolicyConfigurationManager.GBEAN_INFO); + PermissionCollection excludedPermissions= new Permissions(); + PermissionCollection uncheckedPermissions= new Permissions(); + ComponentPermissions componentPermissions = new ComponentPermissions(excludedPermissions, uncheckedPermissions, new HashMap()); + Map contextIDToPermissionsMap = new HashMap(); + contextIDToPermissionsMap.put(POLICY_CONTEXT_ID, componentPermissions); + jaccBeanData.setAttribute("contextIdToPermissionsMap", contextIDToPermissionsMap); + jaccBeanData.setAttribute("principalRoleMap", new HashMap()); + jaccBeanData.setAttribute("roleDesignates", new HashMap()); + start(jaccBeanData); + GBeanData app = new GBeanData(webModuleName, TomcatWebAppContext.GBEAN_INFO); app.setAttribute("webAppRoot", new File("target/var/catalina/webapps/war3/").toURI()); app.setAttribute("webClassPath", new URI[]{}); app.setAttribute("configurationBaseUrl", new File("target/var/catalina/webapps/war3/WEB-INF/web.xml").toURL()); app.setAttribute("path", "/securetest"); app.setAttribute("policyContextID", POLICY_CONTEXT_ID); - + app.setReferencePattern("RoleDesignateSource", jaccBeanName); + LoginConfig loginConfig = new LoginConfig(); loginConfig.setAuthMethod(Constants.FORM_METHOD); loginConfig.setRealmName("Test JAAS Realm"); 
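Review bot: The JACC manager setup added here (ObjectName "foo", the GBeanData, the `contextIdToPermissionsMap`/`principalRoleMap`/`roleDesignates` attributes, `start`) is repeated almost line for line in `setUpSecureAppContext` in the next hunk; extract a helper such as `startJaccManager(ComponentPermissions perms, Map principalRoleMap, Map roleDesignates)` that returns the ObjectName and call it from both. Both helpers register the same ObjectName, so a test that calls both without stopping the first would presumably fail on the second `start`. Minor: `excludedPermissions= new Permissions()` and the line below it are missing the space before `=`.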
@@ -141,13 +158,23 @@ return webModuleName; } - protected ObjectName setUpSecureAppContext(Security securityConfig, - Set securityConstraints, - PermissionCollection uncheckedPermissions, - PermissionCollection excludedPermissions, - Map rolePermissions, + protected ObjectName setUpSecureAppContext(Set securityConstraints, + Map roleDesignates, + Map principalRoleMap, + ComponentPermissions componentPermissions, + DefaultPrincipal defaultPrincipal, + PermissionCollection checked, Set securityRoles) throws Exception { + + ObjectName jaccBeanName = NameFactory.getComponentName(null, null, null, null, "foo", NameFactory.JACC_MANAGER, moduleContext); + GBeanData jaccBeanData = new GBeanData(jaccBeanName, ApplicationPolicyConfigurationManager.GBEAN_INFO); + Map contextIDToPermissionsMap = new HashMap(); + contextIDToPermissionsMap.put(POLICY_CONTEXT_ID, componentPermissions); + jaccBeanData.setAttribute("contextIdToPermissionsMap", contextIDToPermissionsMap); + jaccBeanData.setAttribute("principalRoleMap", principalRoleMap); + jaccBeanData.setAttribute("roleDesignates", roleDesignates); + start(jaccBeanData); GBeanData app = new GBeanData(webModuleName, TomcatWebAppContext.GBEAN_INFO); app.setAttribute("webAppRoot", new File("target/var/catalina/webapps/war3/").toURI()); @@ -155,6 +182,7 @@ app.setAttribute("configurationBaseUrl", new File("target/var/catalina/webapps/war3/WEB-INF/web.xml").toURL()); app.setAttribute("path", "/securetest"); app.setAttribute("policyContextID", POLICY_CONTEXT_ID); + app.setReferencePattern("RoleDesignateSource", jaccBeanName); LoginConfig loginConfig = new LoginConfig(); loginConfig.setAuthMethod(Constants.FORM_METHOD); 
@@ -167,12 +195,11 @@
 app.setAttribute("securityRoles", securityRoles);
 TomcatGeronimoRealm realm = new TomcatGeronimoRealm(POLICY_CONTEXT_ID,
- securityConfig,
+ defaultPrincipal,
 "demo-properties-realm",
- securityRoles,
- uncheckedPermissions,
- excludedPermissions,
- rolePermissions);
+ checked,
+ componentPermissions.getExcludedPermissions(),
+ roleDesignates);
 realm.setUserClassNames("org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal");
 realm.setRoleClassNames("org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal");
 app.setAttribute("tomcatRealm", realm);
@@ -264,7 +291,7 @@
 cl = this.getClass().getClassLoader();
 containerName = NameFactory.getWebComponentName(null, null, null, null, "tomcatContainer", "WebResource", moduleContext);
 connectorName = NameFactory.getWebComponentName(null, null, null, null, "tomcatConnector", "WebResource", moduleContext);
- webModuleName = NameFactory.getWebComponentName(null, null, null, null, NameFactory.WEB_MODULE, "WebResource", moduleContext);
+ webModuleName = NameFactory.getModuleName(null, null, null, null, "testModule", moduleContext);
 tmName = NameFactory.getComponentName(null, null, null, null, "TransactionManager", NameFactory.JTA_RESOURCE, moduleContext);
 tcmName = NameFactory.getComponentName(null, null, null, null, "TransactionContextManager", NameFactory.JTA_RESOURCE, moduleContext);
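Review bot: The realm constructor's fourth argument silently changes meaning at this call site — the old side passed `uncheckedPermissions` there and the new side passes `checked`, which in JACCSecurityTest is the per-role granted set — and nothing in the six-argument positional call shows which `PermissionCollection` is which. Presumably the constructor was updated to match in the same change, but two adjacent `PermissionCollection` arguments with opposite security meaning (`checked` vs `componentPermissions.getExcludedPermissions()`) are exactly the kind of pair that gets swapped without a compile error, and the result would be granting what should be denied. A comment above the call, e.g. `// args: context id, default principal, realm name, role-granted (checked) permissions, excluded permissions, run-as designates`, plus an assertion in JACCSecurityTest that an excluded URL is refused (if one is not already there), would make the swap detectable. setUpSecureAppContext continues before and after this hunk.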
@@ -283,7 +310,6 @@
 // Need to override the constructor for unit tests
 container = new GBeanData(containerName, TomcatContainer.GBEAN_INFO);
 container.setAttribute("catalinaHome", "target/var/catalina");
- container.setAttribute("endorsedDirs", "target/endorsed");
 container.setReferencePattern("ServerInfo", serverInfoName);
 connector = new GBeanData(connectorName, HTTPConnector.GBEAN_INFO);
Modified: geronimo/trunk/modules/tomcat/src/test/org/apache/geronimo/tomcat/JACCSecurityTest.java
URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/tomcat/src/test/org/apache/geronimo/tomcat/JACCSecurityTest.java?view=diff&r1=161666&r2=161667
==============================================================================
--- geronimo/trunk/modules/tomcat/src/test/org/apache/geronimo/tomcat/JACCSecurityTest.java (original)
+++ geronimo/trunk/modules/tomcat/src/test/org/apache/geronimo/tomcat/JACCSecurityTest.java Sun Apr 17 10:01:00 2005
@@ -25,20 +25,28 @@
 import java.security.Permissions;
 import java.util.HashMap;
 import java.util.HashSet;
+import java.util.Iterator;
 import java.util.Map;
 import java.util.Set;
 import javax.management.ObjectName;
+import javax.security.auth.Subject;
+import javax.security.auth.x500.X500Principal;
 import javax.security.jacc.WebResourcePermission;
 import javax.security.jacc.WebUserDataPermission;
 import org.apache.catalina.deploy.SecurityCollection;
 import org.apache.catalina.deploy.SecurityConstraint;
+import org.apache.geronimo.common.DeploymentException;
+import org.apache.geronimo.security.RealmPrincipal;
 import org.apache.geronimo.security.deploy.DefaultPrincipal;
+import org.apache.geronimo.security.deploy.DistinguishedName;
 import org.apache.geronimo.security.deploy.Principal;
 import org.apache.geronimo.security.deploy.Realm;
 import org.apache.geronimo.security.deploy.Role;
 import org.apache.geronimo.security.deploy.Security;
+import org.apache.geronimo.security.jacc.ComponentPermissions;
+import org.apache.geronimo.security.util.ConfigurationUtil;
 /**
@@ -56,6 +64,9 @@
 * @throws Exception thrown if an error in the test occurs
 */
 public void testExplicitMapping() throws Exception {
+
+ Security securityConfig = new Security();
+ securityConfig.setUseContextHandler(false);
 Set constraints = new HashSet();
@@ -75,9 +86,6 @@
 sc.addCollection(coll);
 constraints.add(sc);
- Security securityConfig = new Security();
- securityConfig.setUseContextHandler(false);
-
 DefaultPrincipal defaultPrincipal = new DefaultPrincipal();
 defaultPrincipal.setRealmName("demo-properties-realm");
 Principal principal = new Principal();
@@ -86,7 +94,7 @@
 defaultPrincipal.setPrincipal(principal);
 securityConfig.setDefaultPrincipal(defaultPrincipal);
-
+
 Role role = new Role();
 role.setRoleName("content-administrator");
 principal = new Principal();
@@ -98,7 +106,11 @@
 role.getRealms().put(realm.getRealmName(), realm);
 securityConfig.getRoleMappings().put(role.getRoleName(), role);
-
+
+ Map roleDesignates = new HashMap();
+ Map principalRoleMap = new HashMap();
+ buildPrincipalRoleMap(securityConfig, roleDesignates, principalRoleMap);
+
 PermissionCollection uncheckedPermissions = new Permissions();
 PermissionCollection excludedPermissions = new Permissions();
@@ -106,17 +118,22 @@
 excludedPermissions.add(new WebUserDataPermission("/auth/login.html", ""));
 Map rolePermissions = new HashMap();
- Set permissions = new HashSet();
+ PermissionCollection permissions = new Permissions();
 permissions.add(new WebUserDataPermission("/protected/*", ""));
 permissions.add(new WebResourcePermission("/protected/*", ""));
 rolePermissions.put("content-administrator", permissions);
 rolePermissions.put("auto-administrator", permissions);
+
+ PermissionCollection checked = permissions;
+ ComponentPermissions componentPermissions = new ComponentPermissions(excludedPermissions, uncheckedPermissions, rolePermissions);
+
 Set securityRoles = new HashSet();
 securityRoles.add("content-administrator");
 securityRoles.add("auto-administrator");
- startWebApp(securityConfig, constraints, uncheckedPermissions, excludedPermissions, rolePermissions, securityRoles);
+ startWebApp(constraints, roleDesignates, principalRoleMap, componentPermissions,
+ defaultPrincipal, checked, securityRoles);
 //Begin the test
 HttpURLConnection connection = (HttpURLConnection) new URL("http://localhost:8080/securetest/protected/hello.txt").openConnection();
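Review bot: One mutable `Permissions` instance is stored under both `"content-administrator"` and `"auto-administrator"` in `rolePermissions` and then aliased a third time as `checked`; `Permissions.add` mutates in place, so anything downstream that adds to one role's collection (or to `checked`) widens the other role's grant as well, which is the kind of accidental privilege widening a security test should not be able to mask. If both roles are meant to receive identical grants, say so where the second `put` happens, e.g. `// both roles deliberately share one collection; it must not be mutated after this point`, or give the second role its own `Permissions`. `PermissionCollection checked = permissions;` also deserves a comment saying it is the role-granted set the realm will enforce, since the name alone does not say whose permissions it holds. The rest of testExplicitMapping lies outside this hunk.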
@@ -185,15 +202,17 @@
 stopWebApp();
 }
- protected void startWebApp(Security securityConfig,
- Set securityConstraints,
- PermissionCollection uncheckedPermissions,
- PermissionCollection excludedPermissions,
- Map rolePermissions,
- Set securityRoles) throws Exception {
+ protected void startWebApp(
+ Set securityConstraints,
+ Map roleDesignates,
+ Map principalRoleMap,
+ ComponentPermissions componentPermissions,
+ DefaultPrincipal defaultPrincipal,
+ PermissionCollection checked,
+ Set securityRoles) throws Exception {
- appName = setUpSecureAppContext(securityConfig, securityConstraints, uncheckedPermissions,
- excludedPermissions, rolePermissions, securityRoles);
+ appName = setUpSecureAppContext(securityConstraints, roleDesignates, principalRoleMap,
+ componentPermissions, defaultPrincipal, checked, securityRoles);
 }
@@ -202,6 +221,82 @@
 stop(appName);
 }
+ public static void buildPrincipalRoleMap(Security security, Map roleDesignates, Map principalRoleMap) throws DeploymentException {
+ Map roleToPrincipalMap = new HashMap();
+ buildRolePrincipalMap(security, roleDesignates, roleToPrincipalMap);
+ invertMap(roleToPrincipalMap, principalRoleMap);
+ }
+
+ private static Map invertMap(Map roleToPrincipalMap, Map principalRoleMapping) {
+ for (Iterator roles = roleToPrincipalMap.entrySet().iterator(); roles.hasNext();) {
+ Map.Entry entry = (Map.Entry) roles.next();
+ String role = (String) entry.getKey();
+ Set principals = (Set) entry.getValue();
+ for (Iterator iter = principals.iterator(); iter.hasNext();) {
+ java.security.Principal principal = (java.security.Principal) iter.next();
+
+ HashSet roleSet = (HashSet) principalRoleMapping.get(principal);
+ if (roleSet == null) {
+ roleSet = new HashSet();
+ principalRoleMapping.put(principal, roleSet);
+ }
+ roleSet.add(role);
+ }
+ }
+ return principalRoleMapping;
+ }
+
+ private static void buildRolePrincipalMap(Security security, Map roleDesignates, Map roleToPrincipalMap) throws DeploymentException {
+
+ Iterator rollMappings = security.getRoleMappings().values().iterator();
+ while (rollMappings.hasNext()) {
+ Role role = (Role) rollMappings.next();
+
+ String roleName = role.getRoleName();
+ Subject roleDesignate = new Subject();
+ Set principalSet = new HashSet();
+
+ Iterator realms = role.getRealms().values().iterator();
+ while (realms.hasNext()) {
+ Realm realm = (Realm) realms.next();
+
+ Iterator principals = realm.getPrincipals().iterator();
+ while (principals.hasNext()) {
+ Principal principal = (Principal) principals.next();
+
+ RealmPrincipal realmPrincipal = ConfigurationUtil.generateRealmPrincipal(principal, realm.getRealmName());
+
+ if (realmPrincipal == null) throw new DeploymentException("Unable to create realm principal");
+
+ principalSet.add(realmPrincipal);
+ if (principal.isDesignatedRunAs())
roleDesignate.getPrincipals().add(realmPrincipal);
+ }
+ }
+
+ for (Iterator names = role.getDNames().iterator(); names.hasNext();) {
+ DistinguishedName dn = (DistinguishedName) names.next();
+
+ X500Principal x500Principal = ConfigurationUtil.generateX500Principal(dn.getName());
+
+ principalSet.add(x500Principal);
+ if (dn.isDesignatedRunAs()) {
+ roleDesignate.getPrincipals().add(x500Principal);
+ }
+ }
+
+ Set roleMapping = (Set) roleToPrincipalMap.get(roleName);
+ if (roleMapping == null) {
+ roleMapping = new HashSet();
+ roleToPrincipalMap.put(roleName, roleMapping);
+ }
+ roleMapping.addAll(principalSet);
+
+ if (roleDesignate.getPrincipals().size() > 0) {
+ roleDesignates.put(roleName, roleDesignate);
+ }
+ }
+ }
+
 protected void setUp() throws Exception {
 super.setUp();
 setUpSecurity();
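Review bot: In `invertMap` the lookup `HashSet roleSet = (HashSet) principalRoleMapping.get(principal);` casts to the concrete class, so a caller that pre-populates the map with any other `Set` implementation gets a `ClassCastException` instead of a merged role set; `Set roleSet = (Set) principalRoleMapping.get(principal);` is sufficient, and since `buildPrincipalRoleMap` discards the returned `Map`, the method could be `void` like its sibling `buildRolePrincipalMap`. The `DeploymentException` in `buildRolePrincipalMap` names nothing that would help locate a bad mapping; `throw new DeploymentException("Unable to create realm principal for realm " + realm.getRealmName());` uses only what the loop already has. The unbraced `if (principal.isDesignatedRunAs())` whose body `roleDesignate.getPrincipals().add(realmPrincipal);` sits on its own line is inconsistent with the braced `if (dn.isDesignatedRunAs()) { ... }` a few lines later, and `rollMappings` reads as a typo for `roleMappings`. This principal-to-role mapping is deployment logic living as `public static` in a test class; if a production builder already exposes the equivalent mapping, calling it here would keep the test from drifting from what the deployer actually enforces.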